juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import frisby = require('frisby')
7
const Joi = frisby.Joi
8
const security = require('../../lib/insecurity')
9

10
const API_URL = 'http://localhost:3000/api'
11

12
const authHeader = { Authorization: 'Bearer ' + security.authorize(), 'content-type': 'application/json' }
13

14
describe('/api/PrivacyRequests', () => {
15
  it('POST new complaint', () => {
16
    return frisby.post(API_URL + '/PrivacyRequests', {
17
      headers: authHeader,
18
      body: {
19
        UserId: 1,
20
        deletionRequested: false
21
      }
22
    })
23
      .expect('status', 201)
24
      .expect('header', 'content-type', /application\/json/)
25
      .expect('jsonTypes', 'data', {
26
        id: Joi.number(),
27
        createdAt: Joi.string(),
28
        updatedAt: Joi.string()
29
      })
30
  })
31

32
  it('GET all privacy requests is forbidden via public API', () => {
33
    return frisby.get(API_URL + '/PrivacyRequests')
34
      .expect('status', 401)
35
  })
36
})
37

38
describe('/api/PrivacyRequests/:id', () => {
39
  it('GET all privacy requests is forbidden', () => {
40
    return frisby.get(API_URL + '/PrivacyRequests', { headers: authHeader })
41
      .expect('status', 401)
42
  })
43

44
  it('GET existing privacy request by id is forbidden', () => {
45
    return frisby.get(API_URL + '/PrivacyRequests/1', { headers: authHeader })
46
      .expect('status', 401)
47
  })
48

49
  it('PUT update existing privacy request is forbidden', () => {
50
    return frisby.put(API_URL + '/PrivacyRequests/1', {
51
      headers: authHeader,
52
      body: {
53
        message: 'Should not work...'
54
      }
55
    })
56
      .expect('status', 401)
57
  })
58

59
  it('DELETE existing privacy request is forbidden', () => {
60
    return frisby.del(API_URL + '/PrivacyRequests/1', { headers: authHeader })
61
      .expect('status', 401)
62
  })
63
})
64